Overview

overview

10

Static

static

3

d0ce786501...18.exe

windows7-x64

10

d0ce786501...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2024, 05:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe

  • Size

    90KB

  • MD5

    d0ce786501047d3c6e40fa1555580df0

  • SHA1

    ef7cc60bbf26e27d880ba374afda332edb8aa002

  • SHA256

    b306f45b363f1d938f48fa54350c6b46a8e8f03f7d3f765f702f4d22a743c9ed

  • SHA512

    220ff4b69568ff6fada3defee9ef059260252a7d4de4779ae628f7cf6402ebe6ed8e171fcd340903ad36ab94e97b7fd55f341ea650e24240aff2bc278778624c

  • SSDEEP

    1536:E7/R8RHzreA5Kj2WcM+UqTa/XFXhNJ9Yme6/6W7KGgIIH9VY:LzCXjNqTa/1kdIeGgIIY

Score
10/10
ponycollectioncredential_accessdefense_evasiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://ldepteu.pw:4915/way/like.php

http://kclkeuy.pw:4915/way/like.php

Signatures

  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Drops file in Drivers directory 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\drivers\etc\hosts.sam /Y && at 05:14:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259465527aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
      2⤵
      • Drops file in Drivers directory
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\SysWOW64\at.exe
        at 05:14:00 /every:M,T,W,Th,F,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259465527aq C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts"
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        • System Location Discovery: System Language Discovery
        PID:2760

Network

  • flag-us
    DNS
    ldepteu.pw
    d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ldepteu.pw
    IN A
    Response
  • flag-us
    DNS
    kclkeuy.pw
    d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    kclkeuy.pw
    IN A
    Response
No results found
  • 8.8.8.8:53
    ldepteu.pw
    dns
    d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe
    56 B
     121 B
     1
    1

    DNS Request

    ldepteu.pw

  • 8.8.8.8:53
    kclkeuy.pw
    dns
    d0ce786501047d3c6e40fa1555580df0_JaffaCakes118.exe
    56 B
     121 B
     1
    1

    DNS Request

    kclkeuy.pw

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2084-0-0x0000000000404000-0x0000000000409000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2084-1-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2084-2-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2084-3-0x0000000000404000-0x0000000000409000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2084-4-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2084-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.